Istanbul-based Finansbank manages risk and security using HP ArcSight

Governance, risk management and compliance (GRC) form a top-tier of requirements for banks anywhere in the world as they create and deploy applications. A close second nowadays is speed to market, and rapid responsiveness to changing customer expectations and demands.

So when Finansbank, an Istanbul-based bank, knew they had to better manage risk—but not lose time-to-market advantages—they did a thorough analysis of available IT products and services. The result was an impressive record of managed risk and deployments, with an eye to greater automation over time.

BriefingsDirect had an opportunity to learn first-hand at the recent HP Discover 2013 Conference in Barcelona how Finansbank extended its GRC prowess—while smoothing operational integrity and automating speed to deployment—using several HP solutions.

Learn how from a chat with Ugur Yayvak, Senior Designer of Infrastructure at Finansbank in Istanbul. The discussion is moderated by me, Dana Gardner, Principal Analyst at Interarbor Solutions.

Here are some excerpts:

Gardner: Tell us a bit about your organization and how you're keeping compliance and risk issues in check?

Yayvak: Finansbank is one of the largest banks in Turkey and it has more than 12,000 employees and 600 branches in the country. Banking is a competitive world in Turkey, and for compliance we have to be rapid. We have to do things faster. And security is a big deal for us.

Because we’re a bank, we need to obey the payment-card industry (PCI) and Sarbanes-Oxley (SOX) rules. To accomplish this, we had to create some scripts to check the data on our servers. It takes lots of time to do compliance reporting. Security is a must for the servers, because of attacks. We need to be compliant and secure, and we need to move fast.

Gardner: And so as you began to look for solutions to these problems, how did you come up with a solution?

Yayvak: First of all, we needed a compliance and integrity-check solution. We did a proof of concept (POC) with three different vendors and we checked for performance, compliance, tool support, ease of use, reporting tools, and the support that the vendor would give us. After all that, we chose HP Server Automation.

We’ve been using it for six months. Three months was for the implementation process, but during implementation, we created our first rules. We did some basic agent rollouts on the servers. Now, we have 90 percent coverage on all of our UNIX servers on the Server Automation site.

Gardner: What have been some of the results? What have you been gaining in terms of better control?

Yayvak: We’re creating monthly reports for our audit teams, and it takes less time. With the help of Server Automation, we’ve scheduled our jobs and the audit rules and reports that we want to share with our audit teams.

It takes much less time than it did before. Also, with the help of the scripts, the daily system administration tasks are very easy. Previously, we were doing everything by hand. With the help of the Server Automation, it’s very simple and we can get the results in much less time.

Gardner: What about the future? Do you have plans to move further, perhaps using ArcSight? Are there other security benefits that you have in mind?

Yayvak: One is to improve audit server automation, because there are some scripts that we’ve changed. Those changes that we’ve done on the servers must be audited. We also want to integrate Server Automation with ArcSight to track the changes that we’ve made. And if we’ve made an error, we will be alerted by the ArcSight server.

Right now, we’re using these solutions across our central data center, and also the disaster recovery site. But maybe later on, we can implement this for the branches to take care of the data servers there.

Gardner: What announcements or advances in the recent HP products capture your interest?

Yayvak: The new version of Server Automation came out this year, and we wanted to know what has changed. Also Finansbank will use lots of HP's products like Service Manager, Orchestration Manager, Operations Manager. This event was a good place to learn what has changed across these services.